SURICATA

More documents

Recommendations

Info

MIXED MODE : USAGE 1. Add iptables rules with NFQ/NFLOG target : # we want to be sure not to cut off a webserver, # but we want to inspect port 80 # Send other than 80 to iPS –nft add rule filter forward tcp dport not 80 queue num 0 # Port 80 to IDS –nft add rule filter forward tcp dport 80 log group 2 Iptables way : –iptables -A FORWARD -p tcp ! --dport 80 -j NFQUEUE –iptables -A FORWARD -p tcp –dport 80 -j NFLOG --nflog-group 2
MIXED MODE : USAGE 2. We may want to modify suricata config file. In this case, we could modify nflog or nfq because we are using them as examples. But it depends on the runmode you choice.
Page 1 and 2: SURICATA Mixing IPS/IDS Mode Novemb
Page 3 and 4: Agenda 1. Introduction 2. IPS 3. Nf
Page 5 and 6: IPS MODE How the IPS mode works in
Page 7 and 8: IPS MODE On the administrative side
Page 9 and 10: IPS MODE In IPS mode, we have two a
Page 11 and 12: IPS MODE Working in IPS mode, the b
Page 13 and 14: IPS MODE Enabling stream.inline per
Page 15 and 16: NETFILTER When a packet enters the
Page 17 and 18: NETFILTER : FILTER FILTER table : I
Page 19 and 20: NETFILTER : NAT NAT table : It's us
Page 21 and 22: NETFILTER : MANGLE MANGLE table : T
Page 23 and 24: NETFILTER : RAW RAW table : This ta
Page 25 and 26: NETFILTER : RETURN TARGET RETURN ta
Page 27 and 28: NFQUEUE - It is used in Suricata to
Page 29 and 30: NFQUEUE The following picture expla
Page 31 and 32: NFQUEUE NFQUEUE number of packets p
Page 33 and 34: NFLOG - It's used to log packet by
Page 35 and 36: MIXED MODE : INTRO We are ready to
Page 37: MIXED MODE : USAGE ● ● The usag
Page 41 and 42: MIXED MODE : NINJA USAGE We could a
Page 43 and 44: MIXED MODE : NINJA A better solutio
Page 45 and 46: MIXED MODE : NINJA USAGR if we are
Page 47 and 48: RUNNING MODE A running mode specifi
Page 49 and 50: MIXED MODE : STEP 1 - The runmodes
Page 51 and 52: MIXED MODE : STEP 2 - It's forbidde
Page 53 and 54: MIXED MODE : STEP 3 Since we have m
Page 55 and 56: MIXED MODE : STEP 3 NFLOG is trying
Page 57 and 58: MIXED MODE : STEP 4 4. Figure out h
Page 59 and 60: MIXED MODE : STEP 4 And the mode is
Page 61 and 62: MIXED MODE : STEP 4 As you can see
Page 63 and 64: DEMONSTRATION Once Suricata detects
Page 65 and 66: DEMONSTRATION Solution : Deny On Mo
Page 67 and 68: DEMONSTRATION Summary : - Suricata
Page 69 and 70: DEMONSTRATION Then we add our rules
Page 71 and 72: DEMONSTRATION We are ready to start
Page 73 and 74: CONTACT - Mail : glongo@stamus-netw

SURICATA

Create successful ePaper yourself

Delete template?

Save as template?